A group of researchers at the Stanford Internet Observatory has determined that Clubhouse’s data protection practices allowed its users’ data, possibly including their raw audio, to potentially be accessed by the Chinese government.
In a new report, SIO researchers reveal that Clubhouse uses Chinese company Agora, which provides a real-time voice and video engagement platform, to supply its back-end infrastructure. This means that Clubhouse uses Agora’s platform for the “nuts-and-bolts” infrastructure of its app.
Here’s where it starts gets alarming: the SIO researchers found that when users join a channel on Clubhouse, a packet containing metadata about each user is sent to Agora’s back-end infrastructure. The metadata includes users’ unique Clubhouse ID and the room ID they’re joining. It is not encrypted, “meaning that any third-party with access to a user’s network traffic can access it.”
“In this manner, an eavesdropper might learn whether two users are talking to each other, for instance, by detecting whether those users are joining the same channel,” the researchers wrote.
Additionally, researchers found that Agora would likely have access to Clubhouse’s raw audio traffic. This means that if the audio isn’t end-to-end encrypted—something the SIO says is “exceedingly unlikely”—Agora could intercept, transcribe, and store the audio.
Some of you might be wondering why it matters whether Clubhouse has a Chinese provider, which also has offices in Silicon Valley. This is extremely important because it means that Agora must comply with China’s cybersecurity law. The researchers point out that Agora itself conceded that it would be obliged to provide China with assistance and support in matters related to national security and criminal investigations. In other words:
“If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing it,” they wrote.
Per the report, Agora claims that it does not store user audio or metadata, except to monitor network quality and bill its clients. However, researchers note that it is still theoretically possible for the Chinese governments to tap Agora’s networks and record the user data.
Agora told Reuters on Saturday that it had no comment on any relationship with Clubhouse. A spokesman said that it does not have access or store personal data and that it does not route voice and video traffic generated outside China, including traffic from U.S. users, through China.
Gizmodo reached out to Agora for comment on the researchers’ findings. We’ll update this blog if we hear back.
The SIO highlighted the potential risk faced by mainland Chinese users of Clubhouse if the government were able to identify the app’s users, especially given the recent activity on the app in the country. Before the government blocked it earlier this week, Chinese users on the app openly discussed the Uighur concentration camps in Xinjiang and the Tiananmen Square protests, among others, topics which are restricted in China.
This identification of users by the government could lead to reprisal and punishment, or even veiled threats.
“Conversations about the Tiananmen protests, Xinjiang camps, or Hong Kong protests could qualify as criminal activity. They have qualified before,” the researchers said.
Researchers decided to reveal these security issues because the flaws were easy to find. In addition, they said that the issues pose immediate security risks to Clubhouse’s millions of users, particularly those in China. The SIO team also discovered other security flaws that it reported to Clubhouse privately and said it would reveal them when they were fixed or after a certain deadline.
Clubhouse responded to the SIO report and said it was “deeply committed to data protection and user privacy.” The app stated that although it did not launch Clubhouse in China, some had found a workaround to download the app, and that “the conversations they were a part of could be transmitted via Chinese servers.”
In the response, which the researchers published in full, Clubhouse said that the researchers had helped them identify areas where it could strengthen its data protection.
“For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe—which can include servers in China—to determine the fastest route to the client,” Clubhouse said. “Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers.”
Gizmodo reached out to Clubhouse for a comment on the SIO report. We’ll make sure to update this blog if we hear back.